Service Développement wrote:
...
I agree with you that objects are created with PIN protection if auth_id
is empty. But, it's not the goal of this modification.
^ a 'not' is missing here
The pkcs#11 documentation says that "The common Objects attributes
CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_LABEL must be specified when
object is created."
So, my application has to create some data objects with the attribute
CKA_PRIVATE set to TRUE, and others with CKA_PRIVATE set to FALSE.
Without this modification (the flag receives SC_PKCS15_CO_FLAG_PRIVATE), when
this application lists the different created data objects, all of them
have the CKA_PRIVATE attribute set to FALSE!! Why? Because, by default,
data objects in PKCS#15 are created with DEFAULT_DATA_FLAGS (0x02) in
the function sc_pkcs15init_new_object.
The CKA_PRIVATE attribute is not managed between the OpenSC PKCS#11
structure and the different PKCS#15 structures. There is no parameter
to change it.
one might consider this a bug ... Perhaps one should set the 'private'
flag in sc_pkcs15init_new_object() if and only if the auth_id object
isn't empty (well, except for PIN objects perhaps ...).
That's why I added this modification. I think that if PKCS#11 allows the
management of the CKA_PRIVATE attribute, PKCS#15 has to manage it too.
Maybe there is another solution with the existing parameters, but I
didn't find how to do it...
So, to conclude, this modification is not made for protecting the data
objects, but it allows an application to differentiate between private data
and public data.
hmmm, "private" data objects are by definition protected
Cheers,
Nils
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
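The two positions in the thread (pass CKA_PRIVATE straight through, or derive the 'private' flag from auth_id) can be compared side by side. The block below is an added example written for this page; it is not OpenSC code and not part of the mail exchange. It models the PKCS#15 CommonObjectAttributes flags that sc_pkcs15init_new_object() fills in (the assumed bit values 0x01 for private and 0x02 for modifiable match the 0x02 default quoted above), the object types, the helper names and the constructed auth_id byte are all assumptions made here for illustration.

```c
/* Added example: models how CKA_PRIVATE could map onto PKCS#15 common object
 * flags. Not OpenSC code; constants and names are assumed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define CO_FLAG_PRIVATE     0x01u   /* assumed value of SC_PKCS15_CO_FLAG_PRIVATE */
#define CO_FLAG_MODIFIABLE  0x02u   /* assumed value of SC_PKCS15_CO_FLAG_MODIFIABLE */
#define DEFAULT_DATA_FLAGS  CO_FLAG_MODIFIABLE  /* the 0x02 default the thread mentions */

enum obj_type { OBJ_DATA, OBJ_CERT, OBJ_PRKEY, OBJ_AUTH }; /* OBJ_AUTH = PIN object */

static bool has_auth_id(const unsigned char *auth_id, size_t auth_id_len)
{
    return auth_id != NULL && auth_id_len > 0;
}

/* Rule suggested in the reply: 'private' iff auth_id is non-empty, except for PIN objects. */
unsigned int flags_from_auth_id(enum obj_type type,
                                const unsigned char *auth_id, size_t auth_id_len)
{
    unsigned int flags = DEFAULT_DATA_FLAGS;
    if (type != OBJ_AUTH && has_auth_id(auth_id, auth_id_len))
        flags |= CO_FLAG_PRIVATE;
    return flags;
}

/* Rule of the submitted modification: the caller's CKA_PRIVATE is passed through unchanged. */
unsigned int flags_from_cka_private(bool cka_private)
{
    return DEFAULT_DATA_FLAGS | (cka_private ? CO_FLAG_PRIVATE : 0u);
}

/* What the PKCS#11 layer reports as CKA_PRIVATE when the objects are listed. */
bool cka_private_from_flags(unsigned int flags)
{
    return (flags & CO_FLAG_PRIVATE) != 0;
}

/* Combine both views: honour the requested CKA_PRIVATE, but refuse the one
 * combination nothing can enforce (private requested, empty auth_id), which is
 * the objection raised in the reply. Returns the flags (>= 0) or -1 if inconsistent. */
int reconcile_private_flag(bool cka_private,
                           const unsigned char *auth_id, size_t auth_id_len)
{
    if (cka_private && !has_auth_id(auth_id, auth_id_len))
        return -1;  /* a "private" object that no PIN protects */
    return (int)(DEFAULT_DATA_FLAGS | (cka_private ? CO_FLAG_PRIVATE : 0u));
}

int main(void)
{
    static const unsigned char pin1[] = { 0x01 };  /* constructed auth_id for the demo */
    unsigned int f;

    f = flags_from_auth_id(OBJ_DATA, NULL, 0);
    printf("data object, empty auth_id:   flags=0x%02x CKA_PRIVATE=%d\n",
           f, cka_private_from_flags(f));
    f = flags_from_auth_id(OBJ_DATA, pin1, sizeof pin1);
    printf("data object, auth_id present: flags=0x%02x CKA_PRIVATE=%d\n",
           f, cka_private_from_flags(f));
    f = flags_from_cka_private(true);
    printf("CKA_PRIVATE passed through:   flags=0x%02x CKA_PRIVATE=%d\n",
           f, cka_private_from_flags(f));
    printf("CKA_PRIVATE=TRUE with empty auth_id: %s\n",
           reconcile_private_flag(true, NULL, 0) < 0 ? "rejected" : "accepted");
    return 0;
}
```

With the pass-through rule alone, an object can carry CKA_PRIVATE=TRUE while having no auth_id, which is exactly the object the reply calls "private by definition protected" but which nothing actually protects; reconcile_private_flag() is one way to make that combination an error at creation time instead of a silent inconsistency.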